Files
rutster/fuzz/README.md
Aaron D. Lee 0eb20b729a
Some checks failed
CI / fmt (push) Successful in 1m32s
CI / clippy (push) Successful in 1m31s
CI / test (1.85) (push) Successful in 3m57s
CI / deny (push) Has been cancelled
CI / test (stable) (push) Has been cancelled
docs(reviews/2026-07-03): P4 fix — sweep status staleness + re-aim fuzz/README (#11)
Co-authored-by: Aaron D. Lee <himself@adlee.work>
Co-committed-by: Aaron D. Lee <himself@adlee.work>
2026-07-04 01:44:27 +00:00

2.5 KiB

fuzz/ — cargo-fuzz harness directory (placeholder)

Status: placeholder. Not yet a cargo-fuzz project — just the directory.

ADR-0007 abolished the first-party SIP parser (the original reason this directory was pre-paved), so the original sip_parser / sdp_parser fuzz targets are gone from the plan. The hostile-byte surfaces that do exist post-0007, and that the harnesses here will eventually target, are:

  • Tap protocol frames (crates/rutster-tap/src/protocol.rs) — the WS framing between the core and an external brain. This is hostility surface #1 today: a brain is an untrusted process and its frames cross the FOB boundary. Slice-2 ships this surface without a fuzzer; the harness should land as soon as third-party brains exist (P6 of the 2026-07-03 adversarial review — the protocol should also carry an auth field by then).
  • RTP packets at the str0m input (slice-1's rtc_session.rs media ingress) — every byte str0m hands us is potentially hostile before str0m validates it; fuzz at the str0m-RtcSession boundary, not str0m internally.
  • Opus decoder inputs (crates/rutster-media codec boundary) — a malicious or malformed RTP payload hits the Opus decoder. Fuzz the decoded-PCM contract (finite-length, sane amplitude range), not the decoder internals.
  • Provider media-fork framing (spearhead step 5, post-ADR-0007) — the rented transport's media-fork delivers bytes that the CPaaS framed; that framing is the post-0007 equivalent of the SIP/SDP parser surface. Lands with step 5.

Slice 1 says "the browser is trusted" for the WebRTC ingress, which is correct for the signaling surface (str0m validates SDP). But the media plane accepts RTP from any peer that completed ICE, which makes the RTP/Opus surfaces above hostile-by-default regardless of signaling trust.

If you're populating this directory, replace it with:

  • fuzz/Cargo.toml — cargo-fuzz manifest.
  • fuzz/fuzz_targets/tap_protocol.rs — fuzz the tap protocol frame decoder.
  • fuzz/fuzz_targets/rtp_packet.rs — fuzz the str0m-RtcSession RTP input.
  • fuzz/fuzz_targets/opus_payload.rs — fuzz the Opus→PCM decoder boundary.
  • A CI job running a short fuzz burst on each PR.

The hot-path "drop + observe, don't crash" policy (ARCHITECTURE.md Media plane; slice-4 spec §3.6) is what the harnesses assert against: throw arbitrary bytes at the surface, assert it returns an error or drops silently — never panics. A dropped packet must not terminate the peer.